Assessing the Security of the Cloud What Should you ask your vendors? Steve Deitrick, VP, Global Information Security John Heimann, VP, Global Product Security Jari Peters, VP, Security, Risk Management and Regulatory Compliance October 25, 2018

Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Session Objective Give you tips and techniques on how to assess the security of your cloud vendors: What do you need to consider when moving to the cloud? What goes into securing a cloud? How do you ask about it? How should IaaS/PaaS/SaaS/DaaS offerings affect your security expectations?

Panelist Introductions Steve Deitrick Vice President, Global Information Security (GIS) John Heimann Vice President, Global Product Security (GPS) Security Program Management (SPM) Jari Peters Vice President, Security, Risk Management and Regulatory Compliance, Global Business Units

Why are you considering the cloud? Cost Flexibility Scalability Security Professional management/patching/operations

Specific requirements: Security and Compliance Requirements Regulatory, Industry and Corporate Security Requirements – Example GLBA, GDPR, SOC1/2, HIPAA, PCI DSS, ISO 27001 Attestations/Audits/Certifications Available Direct Audit of Cloud – If Supported Scanning/Penetration Testing – If Supported Monitoring – Preventative and Detective Security Incident Response – Monitoring, Logging, Response and Notification Operational Requirements SLA– Availability, Backups, DR Secure Integrations Between Cloud(s) and On-Premise Systems Level of Access you need to the Cloud Configuration/Change/Release Management Vulnerability Management/Security Fixes Access Control for Admins and End Users Data Retention, Deletion and Portability Backup and DR Testing

What does it take to securely deliver cloud services? The obvious things: Operational security – who has access to your data and how is protected? Independent validations - Pentesting

What does it take to securely deliver cloud services? The not-so obvious things: Supply chain – components developed in-house? (and reliance on open source and third party components) Architecture – multitenancy? Development assurance – building security in vs. bolting it on?

Why does Oracle have a unique perspective? Oracle is a cloud service provider IaaS, PaaS, SaaS, DaaS Oracle is in a unique position for its cloud supply chain (see next point) Oracle is a cloud technology vendor Hardware Operating system/VM Platform (Database, Java) Applications Oracle is a cloud customer (we run our business on our cloud services and technologies) We also deal with third-party cloud vendors when we acquire organizations

What is the role of customer vs. provider for cloud security? It depends on: Type of cloud service For SaaS, provider does almost everything For IaaS, provider secures technical infrastructure and customer has to do almost everything Don’t assume your vendor will perform security functions they don’t claim to do Single vs. multi-vendor approach Multiple cloud vendors means customer has to do integration and management across vendors Vertical (Iaas/PaaS/SaaS) and horizontal (multiple vendors’ PaaS or SaaS application) integration may be required

What can you determine about your providers’ security? How should you ask your provider about security? Make use of standard questionnaires such as SIG and CAIQ Always ask in the context of the data type you’re expecting to place in the cloud, and the regulatory framework you have to abide to What are the value and limitations of third party Pen Tests or scans? Trust but verify: such tests cannot provide you an exhaustive view of your supplier’s security practices Understand that most Cloud providers do not have more insight into the technologies they’re using than you do This is why Oracle Software Security Assurance is important

Conclusion Security in the cloud requires customers’ involvement (shared security model) One size does not fit all (let your requirements determine fit) Compliance in the cloud doesn’t happen magically You need to understand that securing a cloud is a complex and multi- facetted discipline Ask the right questions: be specific and disciplined